blob: b69e004829a4fdaccd876049cf42259f4dc01013 (
plain) (
blame)
1
2
3
4
5
|
nvme: DMA reentrancy issue leads to use-after-free (CVE-2021-3929)
Description of problem:
A DMA reentrancy issue was found in the NVM Express Controller (NVMe) emulation. Functions dma_buf_write() or dma_buf_read() in hw/nvme/ctrl.c:nvme_tx() can be called without checking if the destination region overlaps with device's MMIO. This is similar to CVE-2021-3750 (https://gitlab.com/qemu-project/qemu/-/issues/541) and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host.
This issue was reported by Qiuhao Li.
|